3vd8b (3vd8b) asked a question.
For Cisco VPN, how can I can I enable primary authentication using Cisco ISE -MS AD and secondary authentication using okta
I am trying to set up two factor authentication for VPN access using Cisco ASA. I need the primary authentication to go to Cisco ISE which will authenticate with Active Directory. I want the secondary authentication to be sent to Okta where Okta will do a Push to Okta Verify. Is this doable. If so, any documentation no how to go about it. I ready most of the documents on Cisco VPN integration using a RADIUS agent and have that working.
Unsupported tag error.
Yes, you can do this. When you add the Okta RADIUS App, there's a configuration item in the "Sign On" tab for "Okta performs primary authentication" and you can disable it.
See the "2FA Only (Passwordless Mode)" section of the "Configuring RADIUS applications in Okta" documentation linked below:
help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm
And you'll probably also want to read the "Installing and Configuring the Okta RADIUS Server Agent" doc and "Cisco ASA VPN - Configuration Guide" linked below:
help.okta.com/en/prod/Content/Topics/Directory/Agent_Installing_the_Okta_Radius_Agent.htm
support.okta.com/help/s/article/Cisco-ASA-VPN-Configuration-Guide